Warning As New Malware Bypasses Network Security Measures To Enable Attacks On PCs
August 03: Another dire warning for Windows users this month, after threat researchers at Proofpoint disclosed “a previously undocumented malware.” This one had a twist, though, this malware was not an attack in itself, it was an enabler, hiding on infected computers, establishing a proxy that other malware can then use to manage traffic to the PC and carry out their threats.
Dubbed by its finders as SystemBC, the new strain of malware uses SOCKS5 proxies to bypass security measures, creating a secure command and control tunnel for other malware to use. The researchers highlighted “well-known banking Trojans such as Danabot” as likely beneficiaries.
Proofpoint reported that SystemBC is being distributed through exploit kits—compromised websites that identify vulnerabilities and plant malware as users browse the web. SystemBC is simultaneously dropped onto a target machine alongside dangerous malware, which it will then enable, protecting and cloaking traffic back and forth as that malware operates. The researchers found SystemBC in both the RIG and Fallout exploit kits. The idea that multiple threats can be combined into a single campaign is not new—but the approach taken by SystemBC to relay traffic for dangerous attacks is a nasty twist.
It was actually while studying exploit kits that Proofpoint’s researchers found SystemBC. On June 4, the team was analyzing a Fallout exploit kit campaign and “observed the distribution of a previously unseen proxy malware.” The new strain was seen by the team again on June 6—again delivered via a Fallout campaign, this time alongside the Danabot banking Trojan.
There were further sightings of the malware “in the wild” in July, in further campaigns. It was this discovery of SystemBC in multiple unconnected threat campaigns that led to Proofpoint to conclude that SystemBC “was very likely being sold in an underground marketplace.” With this in mind, the researchers linked SystemBC to an advert found on an underground forum in May for a “socks5 back-connect system” that appeared to match what they had now found.
This is an alarming enough development that Proofpoint titled its discovery as “Christmas in July” for malware and exploit kits. If the researchers are right, and this new malware is available for purchase to facilitate multiple attack campaigns, then you can expect to hear much more about it over the coming weeks and months.
And so the usual advice applies—keep everything Windows-related patched, and keep a watchful eye on legacy systems that become more of vulnerability as time goes by. Remember, it only takes a single unprotected endpoint to put an entire network at risk.
Source: Forbes / Zak Doffman